Abstract. In a previous work, we proved that almost all of the Calculus of Inductive Constructions (CIC), the basis of the proof assistant Coq, can be seen as a Calculus of Algebraic Constructions (CAC), an extension of the Calculus of Constructions with functions and predicates defined by higher-order rewrite rules. In this paper, we prove that CIC as a whole can be seen as a CAC, and that it can be extended with non-strictly positive types and inductive-recursive types together with non-free constructors and pattern-matching on defined symbols.

1 Introduction 

There have been different proposals for defining inductive types and functions in typed systems. In Girard's polymorphic $\lambda$-calculus or in the Calculus of Constructions (CC) [9], data types and functions can be formalized by using impredicative encodings, difficult to use in practice, and computations are done by $\beta$-reduction only. In Martin-Löf's type theory or in the Calculus of Inductive Constructions (CIC) [10], inductive types and their induction principles are first-class objects, functions can be defined by induction and computations are done by $\iota$-reduction. For instance, for the type $nat$ of natural numbers, the recursor $rec : (P : nat \Rightarrow *)(u : P0)(v : (n : nat)Pn \Rightarrow P(sn))(n : nat)Pn$ is defined by the following $\iota$-rules:

$rec\ P\ u\ v\ 0 \rightarrow u$
$rec\ P\ u\ v\ (s\ n) \rightarrow v\ n\ (rec\ P\ u\ v\ n)$

Finally, in the algebraic setting [11], functions are defined by using rewrite rules and computations are done by applying these rules. Since both $\beta$-reduction and $\iota$-reduction are particular cases of higher-order rewriting [16], proposals soon appeared for integrating all these approaches. Starting with [15,2], this objective culminated with [4-6] in which almost all of CIC can be seen as a Calculus of Algebraic Constructions (CAC), an extension of CC with functions and predicates defined by higher-order rewrite rules. In this paper, we go one step further in this direction and capture all previous proposals, and much more.

Let us see the two examples of recursors that are allowed in CIC but not in CAC [20]. The first example is a third-order definition of finite sets of natural numbers (represented as predicates over $nat$):

$fin : (nat \Rightarrow *) \Rightarrow *$
$femp : fin\ \emptyset$
$fadd : (x : nat)(p : nat \Rightarrow *)fin\ p \Rightarrow fin\ (add\ x\ p)$
$rec : (Q : (nat \Rightarrow *) \Rightarrow *)Q\emptyset \Rightarrow ((x : nat)(p : nat \Rightarrow *)fin\ p \Rightarrow Qp \Rightarrow Q(add\ x\ p)) \Rightarrow (p : nat \Rightarrow *)fin\ p \Rightarrow Qp$

where $\emptyset = [y : nat]\bot$ represents the empty set, $add\ x\ p = [y : nat]\ y = x \vee (p\ y)$ represents the set $\{x\} \cup p$, and the weak recursor $rec$ (recursor for defining objects) is defined by the rules:

$rec\ Q\ u\ v\ p'\ femp \rightarrow u$
$rec\ Q\ u\ v\ p'\ (fadd\ x\ p\ h) \rightarrow v\ x\ p\ h\ (rec\ Q\ u\ v\ p\ h)$

The problem comes from the fact that, in $fin\ (add\ x\ p)$, the output type of $fadd$, the predicate $p$ is not a parameter of $fin$.¹ This can be generalized to any big/impredicative dependent type, that is, to any type having a constructor with a predicate argument which is not a parameter. Formally, if $C : (z : V)*$ is a type and $c : (x : T)Cv$ is a constructor of $C$ then, for all predicate variable $x$ occurring in some $T_j$, there must be some argument $v_{\iota_x} = x$, a condition called (I6) in [5].

The second example is John Major's equality which is intended to equal terms of different types [18]:

$JMeq : (A : *)A \Rightarrow (B : *)B \Rightarrow *$
$refl : (A : *)(x : A)(JMeq\ A\ x\ A\ x)$
$rec : (A : *)(x : A)(P : (B : *)B \Rightarrow *)(P\ A\ x) \Rightarrow (B : *)(y : B)(JMeq\ A\ x\ B\ y) \Rightarrow (P\ B\ y)$

where $rec$ is defined by the rule:

$rec\ C\ x\ P\ h\ C\ x\ (refl\ C\ x) \rightarrow h$

Here, the problem comes from the fact that the argument for $B$ is equal to the argument for $A$. This can be generalized to any polymorphic type having a constructor with two equal type parameters. From a rewriting point of view, this is like having pattern-matching or non-linearities on predicate arguments, which is known to create inconsistencies in some cases [14]. Formally, a rule $f\, l \rightarrow r$ with $f : (x : T)U$ is safe if, for all predicate argument $x_i$, $l_i$ is a variable and, if $x_i$ and $x_j$ are two distinct predicate arguments, then $l_i \neq l_j$. An inductive type is safe if the corresponding $\iota$-rules are safe.

By using what is called in Matthes' terminology [17] an elimination-based 
interpretation instead of the introduction-based interpretation that we used in 
[5], we prove that recursors for types like fin or JMeq can be accepted, hence that 
CAC essentially subsumes CIC. In addition, we prove that it can be extended 
to non-strictly positive types (Section 7) and to inductive-recursive types [12] 
(Section 8). 

1 This is also the reason why the corresponding strong recursor, that is, the recursor 
for defining types or predicates, is not allowed in CIC (p could be "bigger" than fin). 



2 The Calculus of Algebraic Constructions (CAC) 



We assume the reader familiar with typed $\lambda$-calculi [3] and rewriting [11]. The Calculus of Algebraic Constructions (CAC) [5] simply extends CC by considering a set $\mathcal{F}$ of symbols, equipped with a total quasi-ordering $\geq$ (precedence) whose strict part is well-founded, and a set $\mathcal{R}$ of rewrite rules. The terms of CAC are:

$t ::= s \mid x \mid f \mid [x : t]u \mid tu \mid (x : t)u$

where $s \in \mathcal{S} = \{*, \Box\}$ is a sort, $x \in \mathcal{X}$ a variable, $f \in \mathcal{F}$ a symbol, $[x : t]u$ an abstraction, $tu$ an application, and $(x : t)u$ a dependent product, written $t \Rightarrow u$ if $x$ does not freely occur in $u$. We denote by $FV(t)$ the set of free variables of $t$, by $Pos(t)$ the set of Dewey's positions of $t$, and by $dom(\theta)$ the domain of a substitution $\theta$.

The sort $*$ denotes the universe of types and propositions, and the sort $\Box$ denotes the universe of predicate types (also called kinds). For instance, the type $nat$ of natural numbers is of type $*$, $*$ itself is of type $\Box$ and $nat \Rightarrow *$, the type of predicates over $nat$, is of type $\Box$.

Every symbol $f$ is equipped with a sort $s_f$, an arity $\alpha_f$ and a type $\tau_f$ which may be any closed term of the form $(x : T)U$ with $|x| = \alpha_f$ ($|x|$ is the length of $x$). We denote by $\Gamma_f$ the environment $x : T$. The terms only built from variables and applications of the form $f\, t$ with $|t| = \alpha_f$ are called algebraic.

A rule for typing symbols is added to the typing rules of CC:

(symb) $\dfrac{}{\vdash f : \tau_f}$

A rewrite rule is a pair $l \rightarrow r$ such that (1) $l$ is algebraic, (2) $l$ is not a variable, and (3) $FV(r) \subseteq FV(l)$. A symbol $f$ with no rule of the form $f\, l \rightarrow r$ is constant, otherwise it is (partially) defined. We also assume that, in every rule $f\, l \rightarrow r$, the symbols occurring in $r$ are smaller than or equivalent to $f$.

Finally, in CAC, $\beta\mathcal{R}$-equivalent types are identified. More precisely, in the type conversion rule of CC, $\downarrow_\beta$ is replaced by $\downarrow_{\beta\mathcal{R}}$:

(conv) $\dfrac{\Gamma \vdash t : T \quad T \downarrow_{\beta\mathcal{R}} T' \quad \Gamma \vdash T' : s}{\Gamma \vdash t : T'}$

where $u \downarrow_{\beta\mathcal{R}} v$ iff there exists a term $w$ such that $u \rightarrow^* w$ and $v \rightarrow^* w$, $\rightarrow^*$ being the reflexive and transitive closure of $\rightarrow\ =\ \rightarrow_\beta \cup \rightarrow_\mathcal{R}$. This rule means that any term $t$ of type $T$ in the environment $\Gamma$ is also of type $T'$ if $T$ and $T'$ have a common reduct (and $T'$ is of type some sort $s$). For instance, if $t$ is a proof of $P(2+2)$ then $t$ is also a proof of $P(4)$ if $\mathcal{R}$ contains the following rules:

$x + 0 \rightarrow x$
$x + (s\ y) \rightarrow s\ (x + y)$

This allows one to decrease the size of proofs by an important factor, and to increase automation as well. All over the paper, we assume that $\rightarrow$ is confluent.



A substitution $\theta$ preserves typing from $\Gamma$ to $\Delta$, written $\theta : \Gamma \leadsto \Delta$, if, for all $x \in dom(\Gamma)$, $\Delta \vdash x\theta : x\Gamma\theta$, where $x\Gamma$ is the type associated to $x$ in $\Gamma$. Type-preserving substitutions enjoy the following important property: if $\Gamma \vdash t : T$ and $\theta : \Gamma \leadsto \Delta$ then $\Delta \vdash t\theta : T\theta$.

For ensuring the subject reduction property (preservation of typing under reduction), every rule $f\, l \rightarrow r$ is equipped with an environment $\Gamma$ and a substitution $\rho$ such that, if $f : (x : T)U$ and $\gamma = \{x \mapsto l\}$, then $\Gamma \vdash f\, l\rho : U\gamma\rho$ and $\Gamma \vdash r : U\gamma\rho$. The substitution $\rho$ allows one to eliminate non-linearities due to typing. For instance, the concatenation on polymorphic lists (type $list : * \Rightarrow *$ with constructors $nil : (A : *)list\ A$ and $cons : (A : *)A \Rightarrow list\ A \Rightarrow list\ A$) of type $(A : *)list\ A \Rightarrow list\ A \Rightarrow list\ A$ can be defined by:

$app\ A\ (nil\ A')\ l' \rightarrow l'$
$app\ A\ (cons\ A'\ x\ l)\ l' \rightarrow cons\ A\ x\ (app\ A\ l\ l')$
$app\ A\ (app\ A'\ l\ l')\ l'' \rightarrow app\ A\ l\ (app\ A\ l'\ l'')$

with $\Gamma = A : *, x : A, l : list\ A, l' : list\ A$ and $\rho = \{A' \mapsto A\}$. For instance, $app\ A\ (nil\ A')$ is not typable in $\Gamma$ (since $A' \notin dom(\Gamma)$) but becomes typable if we apply $\rho$. This does not matter since, if an instance $app\ A\sigma\ (nil\ A'\sigma)$ is typable then $A\sigma$ is convertible to $A'\sigma$. Eliminating non-linearities makes rewriting more efficient and the proof of confluence easier.

3 Strong normalization 

Typed $\lambda$-calculi are generally proved strongly normalizing by using Tait and Girard's technique of reducibility candidates [13]. The idea of Tait, later extended by Girard to the polymorphic $\lambda$-calculus, is to strengthen the induction hypothesis. Instead of proving that every term is strongly normalizable (set $\mathcal{SN}$), one associates to every type $T$ a set $[\![T]\!] \subseteq \mathcal{SN}$, the interpretation of $T$, and proves that every term $t$ of type $T$ is computable, i.e. belongs to $[\![T]\!]$. Hereafter, we follow the proof given in [7] which greatly simplifies the one given in [5].

Definition 1 (Reducibility candidates). A term $t$ is neutral if it is not an abstraction, not of the form $c\, t$ with $c : (y : U)Cv$ and $C$ constant, nor of the form $f\, t$ with $f$ defined and $|t| \leq \alpha_f$. We inductively define the complete lattice $\mathcal{R}_t$ of the interpretations for the terms of type $t$, the ordering $\leq_t$ on $\mathcal{R}_t$, and the greatest element $\top_t \in \mathcal{R}_t$ as follows.

- $\mathcal{R}_t = \{\mathcal{T}\}$, $\leq_t = \subseteq$ and $\top_t = \mathcal{T}$ if $t \neq \Box$ and $\Gamma \nvdash t : \Box$.
- $\mathcal{R}_s$ is the set of subsets $R \subseteq \mathcal{T}$ such that:
  (R1) $R \subseteq \mathcal{SN}$ (strong normalization).
  (R2) If $t \in R$ then $\rightarrow(t) = \{t' \mid t \rightarrow t'\} \subseteq R$ (stability by reduction).
  (R3) If $t$ is neutral and $\rightarrow(t) \subseteq R$ then $t \in R$ (neutral terms).
  Furthermore, $\leq_s = \subseteq$ and $\top_s = \mathcal{SN}$.
- $\mathcal{R}_{(x:U)K}$ is the set of functions $R$ from $\mathcal{T} \times \mathcal{R}_U$ to $\mathcal{R}_K$ such that $R(u, S) = R(u', S)$ whenever $u \rightarrow u'$, $R \leq_{(x:U)K} R'$ iff, for all $(u, S) \in \mathcal{T} \times \mathcal{R}_U$, $R(u, S) \leq_K R'(u, S)$, and $\top_{(x:U)K}(u, S) = \top_K$.

Note that $\mathcal{R}_t = \mathcal{R}_{t'}$ whenever $t \rightarrow t'$ and that, for all $R \in \mathcal{R}_s$, $\mathcal{X} \subseteq R$.

Definition 2 (Interpretation schema). A candidate assignment is a function $\xi$ from $\mathcal{X}$ to $\bigcup\{\mathcal{R}_t \mid t \in \mathcal{T}\}$. An assignment $\xi$ validates an environment $\Gamma$, written $\xi \models \Gamma$, if, for all $x \in dom(\Gamma)$, $x\xi \in \mathcal{R}_{x\Gamma}$. An interpretation for a symbol $f$ is an element of $\mathcal{R}_{\tau_f}$. An interpretation for a set $\mathcal{G}$ of symbols is a function which, to each symbol $g \in \mathcal{G}$, associates an interpretation for $g$.

The interpretation of $t$ w.r.t. a candidate assignment $\xi$, an interpretation $I$ for $\mathcal{F}$ and a substitution $\theta$, is defined by induction on $t$ as follows.

• $[\![t]\!]^I_{\xi,\theta} = \top_t$ if $t$ is an object or a sort,
• $[\![x]\!]^I_{\xi,\theta} = x\xi$,
• $[\![f]\!]^I_{\xi,\theta} = I_f$,
• $[\![(x : U)K]\!]^I_{\xi,\theta} = \{t \in \mathcal{T} \mid \forall u \in [\![U]\!]^I_{\xi,\theta}, \forall S \in \mathcal{R}_U,\ tu \in [\![K]\!]^I_{\xi^x_S,\theta^x_u}\}$,
• $[\![[x : U]v]\!]^I_{\xi,\theta}(u, S) = [\![v]\!]^I_{\xi^x_S,\theta^x_u}$,

where $\xi^x_S = \xi \cup \{x \mapsto S\}$ and $\theta^x_u = \theta \cup \{x \mapsto u\}$. A substitution $\theta$ is adapted to a $\Gamma$-assignment $\xi$ if $dom(\theta) \subseteq dom(\Gamma)$ and, for all $x \in dom(\theta)$, $x\theta \in [\![x\Gamma]\!]^I_{\xi,\theta}$. A pair $(\xi, \theta)$ is $\Gamma$-valid, written $\xi, \theta \models \Gamma$, if $\xi \models \Gamma$ and $\theta$ is adapted to $\xi$.

Note that $[\![t]\!]^I_{\xi,\theta} = [\![t]\!]^{I'}_{\xi',\theta'}$ whenever $\xi$ and $\xi'$ agree on the predicate variables free in $t$, $\theta$ and $\theta'$ agree on the variables free in $t$, and $I$ and $I'$ agree on the symbols occurring in $t$. The difficult point is then to define an interpretation for predicate symbols and to prove that every symbol $f$ is computable (i.e. $f \in [\![\tau_f]\!]$).

Following previous works on inductive types [19,23], the interpretation of a constant predicate symbol $C$ is defined as the least fixpoint of a monotone function $I \mapsto \varphi^I$ on the complete lattice $\mathcal{R}_{\tau_C}$. Following Matthes [17], there are essentially two possible definitions that we illustrate by the case of $nat$. The introduction-based definition:

$\varphi^I_{nat} = \{t \in \mathcal{SN} \mid t \rightarrow^* s\, u \Rightarrow u \in I\}$

and the elimination-based definition:

$\varphi^I_{nat} = \{t \in \mathcal{T} \mid \forall (\xi, \theta)\ \Gamma\text{-valid},\ rec\ P\theta\ u\theta\ v\theta\ t \in [\![Pn]\!]^I_{\xi,\theta^n_t}\}$

where $\Gamma = P : nat \Rightarrow *, u : P0, v : (n : nat)Pn \Rightarrow P(sn)$. In both cases, the monotonicity of $\varphi_{nat}$ is ensured by the fact that $nat$ occurs only positively² in the types of the arguments of its constructors, a common condition for inductive types.³

² $X$ occurs positively in $Y \Rightarrow X$ and negatively in $X \Rightarrow Y$. In Section 8, we give an extended definition of positivity for dealing with inductive-recursive types [12].

In [5], we used the introduction-based approach since this allows us to have non-free constructors and pattern-matching on defined symbols, which is forbidden in CIC and does not seem possible with the elimination-based approach. Indeed, in CAC, it is possible to formalize the type $int$ of integers by taking the symbols $0 : int$, $s : int \Rightarrow int$ and $p : int \Rightarrow int$, together with the rules:

$s\ (p\ x) \rightarrow x$
$p\ (s\ x) \rightarrow x$

It is also possible to have the following rule on natural numbers:

$x \times (y + z) \rightarrow (x \times y) + (x \times z)$
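As an added example (not part of the paper), here is a small first-order rewriting engine for the rules seen so far: it checks the well-formedness conditions (1)-(3) of Section 2 on each rule, rewrites with the rules for $+$ and with the non-free constructors $s$ and $p$ of $int$, and decides the conversion relation $\downarrow_{\beta\mathcal{R}}$ of the (conv) rule by comparing normal forms, which is sound under the confluence assumption made above ($\beta$-reduction and the $\times$ rule are not modelled). The symbol arities and the constant predicate $P$ are constructed for the example.

```python
# Added example, not from the paper: a minimal first-order rewriting engine
# for the algebraic rules of Section 2.  Terms: a variable is a str; an
# application f t1 ... tn is the tuple (f, t1, ..., tn), so the constant 0
# is the 1-tuple ('0',).  ARITY plays the role of alpha_f and is constructed
# for this example; P is a constant predicate symbol with no rules.
from typing import Dict, List, Optional, Tuple, Union

Term = Union[str, tuple]

ARITY: Dict[str, int] = {'0': 0, 's': 1, 'p': 1, '+': 2, 'P': 1}


def free_vars(t: Term) -> set:
    """FV(t): the variables occurring in t."""
    return {t} if isinstance(t, str) else set().union(*(free_vars(a) for a in t[1:]))


def is_algebraic(t: Term) -> bool:
    """Only variables and applications f t with |t| = alpha_f."""
    if isinstance(t, str):
        return True
    return (t[0] in ARITY and len(t) - 1 == ARITY[t[0]]
            and all(is_algebraic(a) for a in t[1:]))


def well_formed(lhs: Term, rhs: Term) -> bool:
    """Conditions (1)-(3) on a rule l -> r: l is algebraic, l is not a
    variable, and FV(r) is included in FV(l)."""
    return (is_algebraic(lhs) and not isinstance(lhs, str)
            and free_vars(rhs) <= free_vars(lhs))


RULES: List[Tuple[Term, Term]] = [
    (('+', 'x', ('0',)), 'x'),                      # x + 0 -> x
    (('+', 'x', ('s', 'y')), ('s', ('+', 'x', 'y'))),  # x + (s y) -> s (x + y)
    (('s', ('p', 'x')), 'x'),                       # non-free constructors
    (('p', ('s', 'x')), 'x'),                       # of int
]
assert all(well_formed(l, r) for l, r in RULES)


def match(pat: Term, t: Term, sub: Dict[str, Term]) -> bool:
    """Syntactic matching of an algebraic pattern against t; a repeated
    pattern variable (non-linear rule) must match equal subterms."""
    if isinstance(pat, str):
        if pat in sub:
            return sub[pat] == t
        sub[pat] = t
        return True
    if isinstance(t, str) or pat[0] != t[0] or len(pat) != len(t):
        return False
    return all(match(p, a, sub) for p, a in zip(pat[1:], t[1:]))


def subst(t: Term, sub: Dict[str, Term]) -> Term:
    if isinstance(t, str):
        return sub.get(t, t)
    return (t[0],) + tuple(subst(a, sub) for a in t[1:])


def step(t: Term) -> Optional[Term]:
    """One innermost rewrite step, or None if t is in normal form."""
    if isinstance(t, str):
        return None
    for i, a in enumerate(t[1:], start=1):
        r = step(a)
        if r is not None:
            return t[:i] + (r,) + t[i + 1:]
    for lhs, rhs in RULES:
        sub: Dict[str, Term] = {}
        if match(lhs, t, sub):
            return subst(rhs, sub)
    return None


def normalize(t: Term, fuel: int = 10_000) -> Term:
    """Rewrite to normal form; `fuel` guards against a non-terminating system."""
    for _ in range(fuel):
        n = step(t)
        if n is None:
            return t
        t = n
    raise RuntimeError('no normal form reached within fuel')


def convertible(t: Term, u: Term) -> bool:
    """t and u have a common reduct.  With a confluent, terminating system
    this is exactly 'same normal form'; without confluence it is incomplete."""
    return normalize(t) == normalize(u)


def num(n: int) -> Term:
    """The numeral s^n 0."""
    t: Term = ('0',)
    for _ in range(n):
        t = ('s', t)
    return t


if __name__ == '__main__':
    # A proof of P(2+2) is also a proof of P(4): the two types are convertible.
    print(convertible(('P', ('+', num(2), num(2))), ('P', num(4))))  # True
    print(normalize(('s', ('p', ('s', ('p', ('0',)))))) == ('0',))    # True
    print(well_formed(('s', 'x'), 'y'))                               # False
```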

To this end, we extended the notion of constructor by considering as constructor any symbol $c$ whose output type is a constant predicate symbol $C$ (perhaps applied to some arguments). Then, the arguments of $c$ that can be used to define the result of a function are restricted to the arguments, called accessible, in the type of which $C$ occurs only positively. We denote by $Acc(c)$ the set of accessible arguments of $c$. For instance, $x$ is accessible in $s\, x$ since $nat$ occurs only positively in the type of $x$. But, we also have $x$ and $y$ accessible in $x + y$ since $nat$ occurs only positively in the types of $x$ and $y$. So, $+$ can be seen as a constructor too.

With this approach, we can safely take:

$\varphi^I_{nat} = \{t \in \mathcal{SN} \mid \forall f,\ t \rightarrow^* f\, u \Rightarrow \forall j \in Acc(f),\ u_j \in [\![U_j]\!]^I_{\xi,\theta}\}$

where $f : (y : U)Cv$ and $\theta = \{y \mapsto u\}$, whenever an appropriate assignment $\xi$ for the predicate variables of $U_j$ can be defined, which is possible only if the condition (I6) is satisfied (see the type $fin$ in Section 1).

4 Extended recursors 

As we introduced an extended notion of constructor for dealing with the introduction-based method, we now introduce an extended notion of recursor for dealing with the elimination-based method.

Definition 1 (Extended recursors). A pre-recursor for a constant predicate symbol $C : (z : V)*$ is any symbol $f$ such that:

• the type of $f$ is of the form⁴ $(z : V)(z : Cz)W$,
• every rule defining $f$ is of the form $f\, z\, t\, u \rightarrow r$ with $FV(r) \cap \{z\} = \emptyset$,
• $f\, v\, t\, u$ is head-reducible only if $t$ is constructor-headed.

A pre-recursor $f$ is a recursor if it satisfies the following positivity conditions:⁵

• no constant predicate $D > C$ or defined predicate $F$ occurs in $W$,
• every constant predicate $D \simeq C$ occurs only positively in $W$.

A recursor of sort $*$ (resp. $\Box$) is weak (resp. strong). Finally, we assume that every type $C$ has a set $\mathcal{R}ec(C)$ (possibly empty) of recursors.

³ Mendler proved that recursors for negative types are not normalizing [19]. Take for instance an inductive type $C$ with a constructor $c : (C \rightarrow nat) \rightarrow C$. Assume now that we have $p : C \rightarrow (C \rightarrow nat)$ defined by the rule $p(cx) \rightarrow x$ (case analysis). Then, by taking $\omega = [x : C](px)x$, we get $\omega(c\omega) \rightarrow_\beta p(c\omega)(c\omega) \rightarrow \omega(c\omega) \rightarrow_\beta \ldots$

⁴ Our examples may not always fit in this form but since, in an environment, two types that do not depend on each other can be permuted, this does not matter.

For the types $C$ whose set of recursors $\mathcal{R}ec(C)$ is not empty, we define the interpretation of $C$ with the elimination-based method as follows. For the other types, we keep the introduction-based method.

Definition 2 (Interpretation of inductive types). If every $t_i$ has a normal form $t_i^*$ then $\varphi^I_C(t, S)$ is the set of terms $t$ such that, for all $f \in \mathcal{R}ec(C)$ of type $(z : V)(z : Cz)(y : U)V$, $y\xi$ and $y\theta$, if $\xi^z_S, \theta^{zz}_{tt} \models y : U$ then $f\, t^*\, t\, y\theta \in [\![V]\!]^I_{\xi^z_S,\theta^{zz}_{tt}}$. Otherwise, $\varphi^I_C(t, S) = \mathcal{SN}$.

The fact that $\varphi$ is monotone, hence has a least fixpoint, follows from the positivity conditions. One can easily check that $\varphi^I_C$ is stable by reduction: if $t \rightarrow t'$ then $\varphi^I_C(t, S) = \varphi^I_C(t', S)$. We now prove that $\varphi^I_C(t, S)$ is a candidate.

Lemma 3. $\varphi^I_C(t, S)$ is a candidate.

Proof. (R1) Let $t \in R$. We must prove that $t \in \mathcal{SN}$. Since $\mathcal{R}ec(C) \neq \emptyset$, there is at least one recursor $f$. Take $y_i\theta = y_i$ and $y_i\xi = \top_{U_i}$. We clearly have $\xi^z_S, \theta^{zz}_{tt} \models y : U$. Therefore, $f\, t^*\, t\, y \in S = [\![V]\!]_{\xi^z_S,\theta^{zz}_{tt}}$. Now, since $S$ satisfies (R1), $f\, t^*\, t\, y \in \mathcal{SN}$ and $t \in \mathcal{SN}$.

(R2) Let $t \in R$ and $t' \in \rightarrow(t)$. We must prove that $t' \in R$, hence that $f\, t^*\, t'\, y\theta \in S' = [\![V]\!]_{\xi^z_S,\theta^{zz}_{tt'}}$. This follows from the fact that $f\, t^*\, t\, y\theta \in S$ (since $t \in R$) and $S$ satisfies (R2).

(R3) Let $t$ be a neutral term such that $\rightarrow(t) \subseteq R$. We must prove that $t \in R$, hence that $u = f\, t^*\, t\, y\theta \in S = [\![V]\!]_{\xi^z_S,\theta^{zz}_{tt}}$. Since $u$ is neutral and $S$ satisfies (R3), it suffices to prove that $\rightarrow(u) \subseteq S$. Since $y\theta \in \mathcal{SN}$ by (R1), we proceed by induction on $y\theta$ with $\rightarrow$ as well-founded ordering. The only difficult case could be when $u$ is head-reducible, but this is not possible since $t$ is neutral, hence not constructor-headed. □

5 Admissible recursors 

Since we changed the interpretation of constant predicate symbols, we must check several things in order to preserve the strong normalization result of [5].

• We must make sure that the interpretation of primitive types is still $\mathcal{SN}$ since this is used for proving the computability of first-order symbols and the interpretation of some defined predicate symbols (see Lemma 5).
• We must also prove that every symbol is computable.
  - For extended recursors, this follows from the definition of the interpretation for constant predicate symbols, and thus, does not require safety.
  - For first-order symbols, nothing is changed.
  - For higher-order symbols distinct from recursors, we must make sure that the accessible arguments of a computable constructor-headed term are computable.
  - For constructors, this does not follow from the interpretation for constant predicate symbols anymore. We therefore have to prove it.

⁵ In Section 8, we give weaker conditions for dealing with inductive-recursive types.

We now define general conditions for these requirements to be satisfied. 

Definition 4 (Admissible recursors). Assume that every constructor $c$ is equipped with a set $Acc(c) \subseteq \{1, \ldots, \alpha_c\}$ of accessible arguments. Let $C : (z : V)*$ be a constant predicate symbol. $\mathcal{R}ec(C)$ is complete w.r.t. accessibility if, for all $c : (x : T)Cv$, $j \in Acc(c)$, $x\eta$ and $x\sigma$, if $\eta \models \Gamma_c$, $v\sigma \in \mathcal{SN}$ and $cx\sigma \in [\![Cv]\!]_{\eta,\sigma}$ then $x_j\sigma \in [\![T_j]\!]_{\eta,\sigma}$.

A recursor $f : (z : V)(z : Cz)(y : U)V$ is head-computable w.r.t. a constructor $c : (x : T)Cv$ if, for all $x\eta$, $x\sigma$, $y\xi$, $y\theta$, $S = [\![v]\!]_{\eta,\sigma}$, if $\eta, \sigma \models \Gamma_c$ and $\xi^z_S, \theta^{zz}_{v\sigma,\, cx\sigma} \models y : U$, then every head-reduct of $f\ v\sigma\ (cx\sigma)\ y\theta$ belongs to $[\![V]\!]_{\xi^z_S,\theta^{zz}_{v\sigma,\, cx\sigma}}$. A recursor is head-computable if it is head-computable w.r.t. every constructor. $\mathcal{R}ec(C)$ is head-computable if all its recursors are head-computable.

$\mathcal{R}ec(C)$ is admissible if it is head-computable and complete w.r.t. accessibility.

We first prove that the interpretation of primitive types is $\mathcal{SN}$.

Lemma 5 (Primitive types). Types equivalent to $C$ are primitive if, for all $D \simeq C$, $D : *$ and, for all $d : (x : T)D$, $Acc(d) = \{1, \ldots, \alpha_d\}$ and every $T_j$ is a primitive type $E \leq C$. Let $C : *$ be a primitive symbol. If recursors are head-computable then $I_C = \mathcal{SN}$.

Proof. By definition, $I_C \subseteq \mathcal{SN}$. We prove that, if $t \in \mathcal{SN}$ then $t \in I_C$, by induction on $t$ with $\rightarrow \cup \rhd$ as well-founded ordering. Let $f : (z : C)(y : U)V$ be a recursor, $y\xi$ and $y\theta$ such that $\xi, \theta^z_t \models y : U$. We must prove that $v = f\ t\ y\theta \in S = [\![V]\!]_{\xi,\theta^z_t}$. Since $v$ is neutral, it suffices to prove that $\rightarrow(v) \subseteq S$. We proceed by induction on $t\ y\theta$ with $\rightarrow$ as well-founded ordering ($y\theta \in \mathcal{SN}$ by (R1)). If the reduction takes place in $t\ y\theta$, we can conclude by induction hypothesis. Assume now that $v'$ is a head-reduct of $v$. By assumption on recursors (Definition 1), $t$ is of the form $c\, u$ with $c : (x : T)C$. Since $C$ is primitive, every $u_j$ is accessible and every $T_j$ is a primitive type $D \leq C$. By induction hypothesis, $u_j \in I_D$. Therefore, $\emptyset, \{x \mapsto u\} \models \Gamma_c$ and, since $\xi, \theta^z_t \models y : U$ and recursors are head-computable, $v' \in S$. □

Theorem 6 (Strong normalization). Assume that every constant predicate symbol $C$ is equipped with an admissible set $\mathcal{R}ec(C)$ of extended recursors distinct from constructors. If $\rightarrow$ is confluent and strong recursors and symbols that are not recursors satisfy the conditions given in [5] then $\beta \cup \mathcal{R}$ is strongly normalizing.

Proof. Let $\vdash_f$ (resp. $\vdash_{<f}$) be the typing relation of the CAC whose symbols are (resp. strictly) smaller than $f$. By induction on $f$, we prove that, if $\Gamma \vdash_f t : T$ and $\xi, \theta \models \Gamma$ then $t\theta \in [\![T]\!]_{\xi,\theta}$. By (symb), if $g \leq f$ and $\vdash_f g : \tau_g$ then $\vdash_{<f} \tau_g : s_g$. Therefore, the induction hypothesis can be applied to the subterms of $\tau_g$.

We first prove that recursors are computable. Let $f : (z : V)(z : Cz)(y : U)V$ be a recursor and assume that $\xi, \theta \models \Gamma_f$. We must prove that $v = f\ z\theta\ z\theta\ y\theta \in S = [\![V]\!]_{\xi,\theta}$. Since $v$ is neutral, it suffices to prove that $\rightarrow(v) \subseteq S$. We proceed by induction on $z\theta\ z\theta\ y\theta$ with $\rightarrow$ as well-founded ordering ($z\theta\ z\theta\ y\theta \in \mathcal{SN}$ by (R1)). If the reduction takes place in $z\theta\ z\theta\ y\theta$, we conclude by induction hypothesis. Assume now that we have a head-reduct $v'$. By assumption on recursors (Definition 1), $z\theta$ is of the form $c\, u$ with $c : (x : T)Cv$, and $v'$ is a head-reduct of $v_0 = f\ z\theta^*\ z\theta\ y\theta$ where $z\theta^*$ are the normal forms of $z\theta$. Since $\xi, \theta \models \Gamma_f$, we have $z\theta = c\, u \in [\![Cz]\!]_{\xi,\theta} = I_C(z\theta, z\xi)$. Therefore, $v_0 \in S$ and, by (R2), $v' \in S$.

We now prove that constructors are computable. Let $c : (x : T)Cv$ be a constructor of $C : (z : V)*$, $x\eta$ and $x\sigma$ such that $\eta, \sigma \models \Gamma_c$. We must prove that $cx\sigma \in [\![Cv]\!]_{\eta,\sigma} = I_C(v\sigma, S)$ where $S = [\![v]\!]_{\eta,\sigma}$. By induction hypothesis, we have $v\sigma \in \mathcal{SN}$. So, let $f : (z : V)(z : Cz)(y : U)V$ be a recursor of $C$, $y\xi$ and $y\theta$ such that $\xi^z_S, \theta^{zz}_{v\sigma,\, cx\sigma} \models y : U$. We must prove that $v = f\ v\sigma^*\ (cx\sigma)\ y\theta \in S' = [\![V]\!]_{\xi^z_S,\theta^{zz}_{v\sigma,\, cx\sigma}}$. Since $v$ is neutral, it suffices to prove that $\rightarrow(v) \subseteq S'$. Since $y\theta \in \mathcal{SN}$, we can proceed by induction on $y\theta$ with $\rightarrow$ as well-founded ordering.

In the case of a reduction in $y\theta$, we conclude by induction hypothesis. In the case of a head-reduction, we conclude by head-computability of $f$. And, in the case of a reduction in $cx\sigma$, we conclude by the computability lemmas for function symbols in [5]: if the strong normalization conditions are satisfied and accessibility is correct w.r.t. computability, then every reduct of $cx\sigma$ belongs to $[\![Cv]\!]_{\eta,\sigma}$. The fact that accessibility is correct w.r.t. computability follows from the completeness of the set of recursors w.r.t. accessibility. □

6 The Calculus of Inductive Constructions 

As an example, we prove the admissibility of a large class of weak recursors for 
strictly positive types, from which Coq's recursors [22] can be easily derived. 
This can be extended to strong recursors and to some non-strictly positive types 
(see Section 7). 

Definition 7. Let $C : (z : V)*$ and $c$ be strictly positive constructors of $C$, that is, if $c_i$ is of type $(x : T)Cv$ then either no type equivalent to $C$ occurs in $T_j$ or $T_j$ is of the form $(a : W)Cw$ with no type equivalent to $C$ occurring in $W$. The parameters of $C$ is the biggest sequence $q$ such that $C : (q : Q)(z : V)*$ and each $c_i$ is of type $(q : Q)(x : T)Cqv$ with $T_j = (a : W)Cqw$ if $C$ occurs in $T_j$.

The canonical weak recursor⁶ of $C$ w.r.t. $c$ is $rec^*_c : (q : Q)(z : V)(z : Cqz)(P : (z : V)Cqz \Rightarrow *)(y : U)Pzz$ with $U_i = (x : T)(x' : T')Pv(c_i\, q\, x)$, $T'_j = (a : W)Pw(x_j\, a)$ if $T_j = (a : W)Cqw$, and $T'_j = T_j$ otherwise, defined by the rules $rec^*_c\ q\ z\ (c_i\, q'\, x)\ P\ y \rightarrow y_i\ x\ t'$ where $t'_j = [a : W](rec^*_c\ q\ w\ (x_j\, a)\ P\ y)$ if $T_j = (a : W)Cqw$, and $t'_j = x_j$ otherwise.⁷

⁶ Strong recursors cannot be defined by taking $P : (z : V)Cqz \Rightarrow \Box$ instead since $(z : V)Cqz \Rightarrow \Box$ is not typable in CC. They must be defined for each $P$.

Lemma 8. The set of canonical recursors is complete w.r.t. accessibility.⁸

Proof. Let $c = c_i : (q : Q)(x : T)Cqv$ be a constructor of $C : (q : Q)(z : V)*$, $q\eta$, $x\eta$, $q\sigma$ and $x\sigma$ such that $q\sigma v\sigma \in \mathcal{SN}$ and $cq\sigma x\sigma \in [\![Cqv]\!]_{\eta,\sigma} = I_C(q\sigma v\sigma, q\eta [\![v]\!]_{\eta,\sigma})$. Let $a = qx$ and $A = QT$. We must prove that, for all $j$, $a_j\sigma \in [\![A_j]\!]_{\eta,\sigma}$. For the sake of simplicity, we assume that weak and strong recursors have the same syntax. Since $q\sigma v\sigma$ have normal forms, it suffices to find $U_j$ such that $rec^*_c\ q\ v\ (c\, q\, x)\ P_j\ U_j \rightarrow U_j\ x\ t' = a_j$. Take $U_j = [x : T][x' : T']a_j$. □

Lemma 9. Canonical recursors are head-computable.

Proof. Let $f : (q : Q)(z : V)(z : Cqz)(P : (z : V)Cqz \Rightarrow *)(y : U)Pzz$ be the canonical weak recursor w.r.t. $c$, $T = (z : V)Cqz \Rightarrow *$, $c = c_i : (q : Q)(x : T)Cqv$, $q\eta$, $q\sigma$, $x\eta$, $x\sigma$, $P\xi$, $P\theta$, $y\xi$, $y\theta$, $R = [\![v]\!]_{\eta,\sigma}$, $\xi' = \xi^z_R$ and $\theta' = \theta^{zz}_{v\sigma,\, cq\sigma x\sigma}$, and assume that $\eta, \sigma \models \Gamma_c$ and $\eta\xi', \sigma\theta' \models P : T, y : U$. We must prove that $y_i\theta\ x\sigma\ t'\sigma\theta \in [\![Pzz]\!]_{\eta\xi',\sigma\theta'}$.

We have $y_i\theta \in [\![U_i]\!]_{\eta\xi',\sigma\theta'}$, $U_i = (x : T)(x' : T')Pv(cqx)$ and $x_j\sigma \in [\![T_j]\!]_{\eta,\sigma} = [\![T_j]\!]_{\eta\xi',\sigma\theta'}$. We prove that $t'_j\sigma\theta \in [\![T'_j]\!]_{\eta\xi',\sigma\theta'}$. If $T'_j = T_j$ then $t'_j\sigma\theta = x_j\sigma$ and we are done. Otherwise, $T_j = (a : W)Cqw$, $T'_j = (a : W)Pw(x_j\, a)$ and $t'_j = [a : W]f\ q\ w\ (x_j\, a)\ P\ y$. Let $a\zeta$ and $a\gamma$ such that $\eta\xi'\zeta, \sigma\theta'\gamma \models a : W$. Let $t = x_j\sigma\ a\gamma$. We must prove that $v = f\ q\sigma\ w\sigma\gamma\ t\ P\theta\ y\theta \in S = [\![Pw(x_j\, a)]\!]_{\eta\xi'\zeta,\sigma\theta'\gamma}$. Since $v$ is neutral, it suffices to prove that $\rightarrow(v) \subseteq S$.

We proceed by induction on $q\sigma\ w\sigma\gamma\ t\ P\theta\ y\theta \in \mathcal{SN}$ with $\rightarrow$ as well-founded ordering (we can assume that $w\sigma\gamma \in \mathcal{SN}$ since $\tau_f : s_f$). In the case of a reduction in $q\sigma\ w\sigma\gamma\ t\ P\theta\ y\theta$, we conclude by induction hypothesis. Assume now that we have a head-reduct $v'$. By definition of recursors, $v'$ is also a head-reduct of $v_0 = f\ q\sigma^*\ w\sigma\gamma^*\ t\ P\theta\ y\theta$ where $q\sigma^*\ w\sigma\gamma^*$ are the normal forms of $q\sigma\ w\sigma\gamma$. If $v_0 \in S$ then, by (R2), $v' \in S$. So, let us prove that $v_0 \in S$.

By candidate substitution, $S = [\![Pzz]\!]_{\eta\xi^{z}_{q\eta S'},\ \sigma\theta^{zz}_{q\sigma w\sigma\gamma,\ t}}$ with $S' = [\![w]\!]_{\eta\xi'\zeta,\sigma\theta'\gamma}$, since $FV(w) \subseteq \{q, P, x, a\}$. Since $x_j\sigma \in [\![T_j]\!]_{\eta\xi',\sigma\theta'}$ and $\eta\xi'\zeta, \sigma\theta'\gamma \models a : W$, $t \in [\![Cqw]\!]_{\eta\xi'\zeta,\sigma\theta'\gamma} = I_C(q\sigma\ w\sigma\gamma, q\eta S')$. Since $\eta\xi', \sigma\theta' \models P : T, y : U$ and $FV(TU) \subseteq \{q, P\}$, we have $\eta\xi, \sigma\theta \models P : T, y : U$ and $\eta\xi^{z}_{q\eta S'}, \sigma\theta^{zz}_{q\sigma w\sigma\gamma,\ t} \models P : T, y : U$. Therefore, $v_0 \in S$. □

It follows that CAC essentially subsumes CIC as defined in [23]. Theorem 6 cannot be applied to CIC directly since CIC and CAC do not have the same syntax and the same typing rules. So, in [5], we defined a sub-system of CIC, called CIC⁻, whose terms can be translated into a CAC. Without requiring inductive types to be safe and to satisfy (I6), we think that CIC⁻ is essentially as powerful as CIC.

Theorem 10. The system CIC⁻ defined in [5] (Chapter 7) is strongly normalizing even though inductive types are unsafe and do not satisfy (I6).

⁷ We could erase the useless arguments $t'_j = x_j$ when $T'_j = T_j$.

⁸ In [23] (Lemma 4.35), Werner proves a similar result.



7 Non-strictly positive types 



We are going to see that the use of elimination-based interpretations allows us to have functions defined by recursion on non-strictly positive types too, while CIC has always been restricted to strictly positive types. An interesting example is given by Abel's formalization of first-order terms with continuations as an inductive type $trm : *$ with the constructors [1]:

$var : nat \Rightarrow trm$
$fun : nat \Rightarrow (list\ trm) \Rightarrow trm$
$mu : \neg\neg trm \Rightarrow trm$

where $list : * \Rightarrow *$ is the type of polymorphic lists, $\neg X$ is an abbreviation for $X \Rightarrow \bot$ (in the next section, we prove that $\neg$ can be defined as a function), and $\bot : *$ is the empty type. Its recursor $rec : (A : *)(y_1 : nat \Rightarrow A)(y_2 : nat \Rightarrow list\ trm \Rightarrow list\ A \Rightarrow A)(y_3 : \neg\neg trm \Rightarrow \neg\neg A \Rightarrow A)(z : trm)A$ can be defined by:

$rec\ A\ y_1\ y_2\ y_3\ (var\ n) \rightarrow y_1\ n$
$rec\ A\ y_1\ y_2\ y_3\ (fun\ n\ l) \rightarrow y_2\ n\ l\ (map\ trm\ A\ (rec\ A\ y_1\ y_2\ y_3)\ l)$
$rec\ A\ y_1\ y_2\ y_3\ (mu\ f) \rightarrow y_3\ f\ [x : \neg A](f\ [y : trm](x\ (rec\ A\ y_1\ y_2\ y_3\ y)))$

where $map : (A : *)(B : *)(A \Rightarrow B) \Rightarrow list\ A \Rightarrow list\ B$ is defined by:

$map\ A\ B\ f\ (nil\ A') \rightarrow (nil\ B)$
$map\ A\ B\ f\ (cons\ A'\ x\ l) \rightarrow cons\ B\ (f\ x)\ (map\ A\ B\ f\ l)$
$map\ A\ B\ f\ (app\ A'\ l\ l') \rightarrow app\ B\ (map\ A\ B\ f\ l)\ (map\ A\ B\ f\ l')$

We now check that $rec$ is an admissible recursor. Completeness w.r.t. accessibility is easy. For the head-computability, we only detail the case of $mu$. Let $f\sigma$, $t = mu\ f\sigma$, $A\xi$, $A\theta$, $y\theta$ and $\theta' = \theta^z_t$ such that $\emptyset, \sigma \models \Gamma_{mu}$ and $\xi, \sigma\theta' \models \Gamma = A : *, y : U$ where $U_i$ is the type of $y_i$. Let $b = rec\ A\theta\ y\theta$, $c = [y : trm](x\ (b\ y))$ and $a = [x : \neg A\theta](f\sigma\ c)$. We must prove that $y_3\theta\ f\sigma\ a \in [\![A]\!]_{\xi,\sigma\theta'} = A\xi$.

Since $\xi, \sigma\theta' \models \Gamma$, $y_3\theta \in [\![\neg\neg trm \Rightarrow \neg\neg A \Rightarrow A]\!]_{\xi,\sigma\theta'}$. Since $\emptyset, \sigma \models \Gamma_{mu}$, $f\sigma \in [\![\neg\neg trm]\!]$. Thus, we are left to prove that $a \in [\![\neg\neg A]\!]_{\xi,\sigma\theta'}$, that is, $f\sigma\ c\gamma \in I_\bot$ for all $x\gamma \in [\![\neg A]\!]_{\xi,\theta}$. Since $f\sigma \in [\![\neg\neg trm]\!]$, it suffices to prove that $c\gamma \in [\![\neg trm]\!]$, that is, $x\gamma\ (b\ y\gamma) \in I_\bot$ for all $y\gamma \in I_{trm}$. This follows from the facts that $x\gamma \in [\![\neg A]\!]_{\xi,\theta}$ and $b\ y\gamma \in A\xi$ since $y\gamma \in I_{trm}$.

8 Inductive-recursive types 

In this section, we define new positivity conditions for dealing with inductive-recursive type definitions [12]. An inductive-recursive type $C$ has constructors whose arguments have a type $Ft$ with $F$ defined by recursion on $t : C$, that is, a predicate $F$ and its domain $C$ are defined at the same time.

A simple example is the type $dlist : (A : *)(\# : A \Rightarrow A \Rightarrow *)*$ of lists made of distinct elements thanks to the predicate $fresh : (A : *)(\# : A \Rightarrow A \Rightarrow *)A \Rightarrow (dlist\ A\ \#) \Rightarrow *$ parametrized by a function $\#$ to test whether two elements are distinct. The constructors of $dlist$ are:

$nil : (A : *)(\# : A \Rightarrow A \Rightarrow *)(dlist\ A\ \#)$
$cons : (A : *)(\# : A \Rightarrow A \Rightarrow *)(x : A)(l : dlist\ A\ \#)(fresh\ A\ \#\ x\ l) \Rightarrow (dlist\ A\ \#)$

and the rules defining $fresh$ are:

$fresh\ A\ \#\ x\ (nil\ A'\ \#') \rightarrow \top$
$fresh\ A\ \#\ x\ (cons\ A'\ \#'\ y\ l\ h) \rightarrow (x\ \#\ y) \wedge (fresh\ A\ \#\ x\ l)$

where $\top$ is the proposition always true and $\wedge$ the connector "and". Other examples are given by Martin-Löf's definition of the first universe à la Tarski [12] or by Pollack's formalization of record types with manifest fields [21].

Definition 11 (Positive/negative positions). Assume that every predicate symbol $f : (x : T)U$ is equipped with a set $Mon^+(f) \subseteq \{i \leq \alpha_f \mid x_i \in \mathcal{X}^\Box\}$ of monotone arguments and a set $Mon^-(f) \subseteq \{i \leq \alpha_f \mid x_i \in \mathcal{X}^\Box\}$ of anti-monotone arguments. The sets of positive positions $Pos^+(t)$ and negative positions $Pos^-(t)$ in a term $t$ are inductively defined as follows:

- $Pos^\delta(s) = Pos^\delta(x) = \{\varepsilon \mid \delta = +\}$,
- $Pos^\delta((x : U)V) = 1.Pos^{-\delta}(U) \cup 2.Pos^\delta(V)$,
- $Pos^\delta([x : U]v) = 2.Pos^\delta(v)$,
- $Pos^\delta(tu) = 1.Pos^\delta(t)$ if $tu$ is not of the form $f\, t$,
- $Pos^\delta(f\, t) = \{\varepsilon \mid \delta = +\} \cup \bigcup\{1^{|t|-i}.2.Pos^{\epsilon\delta}(t_i) \mid \epsilon \in \{-,+\},\ i \in Mon^\epsilon(f)\}$,

where $\delta \in \{-,+\}$, $-+ = -$ and $-- = +$ (usual rule of signs).

Theorem 12 (Strong normalization). Definition 1 is modified as follows. A pre-recursor $f : (z : V)(z : Cz)W$ is a recursor if:

• no $F > C$ occurs in $W$,
• every $F \simeq C$ occurs only positively in $W$,
• if $i \in Mon^\delta(C)$ then $Pos(z_i, W) \subseteq Pos^\delta(W)$.

Assume furthermore that, for every rule $F\, l \rightarrow r$:

• no $G > F$ occurs in $r$,
• for all $i \in Mon^\epsilon(F)$, $l_i \in \mathcal{X}^\Box$ and $Pos(l_i, r) \subseteq Pos^\epsilon(r)$.

Then, Theorem 6 is still valid.

Proof. For Theorem 6 to be still valid, we must make sure that $\varphi$ (see Definition 2) is still monotone, hence has a least fixpoint. To this end, we need to prove that $[\![t]\!]^I_{\xi,\theta}$ is monotone (resp. anti-monotone) w.r.t. $x\xi$ if $x$ occurs only positively (resp. negatively) in $t$, and that $[\![t]\!]^I_{\xi,\theta}$ is monotone (resp. anti-monotone) w.r.t. $I_C$ if $C$ occurs only positively (resp. negatively) in $t$. These results are easily extended to the new positivity conditions by reasoning by induction on the well-founded ordering used for defining the defined predicate symbols.

Let us see what happens in the case where $t = F\, t$ with $F$ a defined predicate symbol. Let $\leq^+ = \leq$ and $\leq^- = \geq$. We want to prove that, if $\xi_1 \leq_x \xi_2$ (i.e. $x\xi_1 \leq x\xi_2$ and, for all $y \neq x$, $y\xi_1 = y\xi_2$) and $Pos(x, t) \subseteq Pos^\delta(t)$, then $[\![t]\!]^I_{\xi_1,\theta} \leq^\delta [\![t]\!]^I_{\xi_2,\theta}$.

By definition of $I_F$, if the normal forms of $t\theta$ match the left hand-side of $F\, l \rightarrow r$, then $[\![F\, t]\!]^I_{\xi,\theta} = [\![r]\!]^I_{\xi',\sigma}$ where $\sigma$ is the matching substitution and, for all $y \in FV(r)$, $y\xi' = [\![t_{\kappa_y}]\!]^I_{\xi,\theta}$ where $\kappa_y$ is such that $l_{\kappa_y} = y$ (see [5] for details). Now, since $Pos(x, F\, t) \subseteq Pos^\delta(F\, t)$, $Pos(x, t_{\kappa_y}) \subseteq Pos^{\epsilon\delta}(t_{\kappa_y})$ for some $\epsilon$. Hence, by induction hypothesis, $y\xi'_1 \leq^{\epsilon\delta} y\xi'_2$. Now, since $Pos(y, r) \subseteq Pos^\epsilon(r)$, by induction hypothesis again, $[\![r]\!]^I_{\xi'_1,\sigma} \leq^{\epsilon^2\delta} = \leq^\delta [\![r]\!]^I_{\xi'_2,\sigma}$. □

For instance, in the positive type $trm$ of Section 7, instead of considering $\neg\neg A$ as an abbreviation, one can consider $\neg$ as a predicate symbol defined by the rule $\neg A \rightarrow A \Rightarrow \bot$ with $Mon^-(\neg) = \{1\}$. Then, one easily checks that $A$ occurs negatively in $A \Rightarrow \bot$, and hence that $trm$ occurs positively in $\neg\neg trm$ since $Pos^+(\neg\neg trm) = \{\varepsilon\} \cup 2.Pos^-(\neg trm) = \{\varepsilon\} \cup 2.2.Pos^+(trm) = \{\varepsilon, 2.2\}$.
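As an added example (not from the paper), the following Python implements Definition 11 directly and reproduces the computation just above: $Pos^\delta(t)$ over a small term encoding with the $Mon^\pm(f)$ tables, $Pos(x, t)$ for the occurrences of a symbol or variable, and the rule condition of Theorem 12 checked on $\neg A \rightarrow A \Rightarrow \bot$ with $Mon^-(\neg) = \{1\}$. The term encoding, the table `MON` and the names `not`, `trm` and `bot` are constructed for the example.

```python
# Added example, not from the paper: the positive/negative positions of
# Definition 11 and the rule condition of Theorem 12, on a constructed term
# encoding.  A position is a tuple of ints; () is ε and (2, 2) is 2.2.
#   ('sort', s)            sort * or □
#   ('var', x)             variable
#   ('prod', x, U, V)      dependent product (x : U)V
#   ('abs', x, U, v)       abstraction [x : U]v
#   ('app', t, u)          application not headed by a symbol
#   ('sym', f, [t1..tn])   symbol f applied to its n arguments

# Mon+(f) and Mon-(f); here only ¬ is declared, anti-monotone in its argument.
MON = {'not': {'+': set(), '-': {1}}}
NO_MON = {'+': set(), '-': set()}


def neg(d):
    return '-' if d == '+' else '+'


def mul(e, d):
    """Rule of signs: -+ = - and -- = +."""
    return d if e == '+' else neg(d)


def pos(delta, t):
    """Pos^delta(t): the positions of t that are positive (delta='+') or
    negative (delta='-') according to Definition 11."""
    root = {()} if delta == '+' else set()
    kind = t[0]
    if kind in ('sort', 'var'):
        return root
    if kind == 'prod':                    # (x : U)V: U at 1 with flipped sign, V at 2
        return ({(1,) + p for p in pos(neg(delta), t[2])}
                | {(2,) + p for p in pos(delta, t[3])})
    if kind == 'abs':                     # [x : U]v: only v, at 2
        return {(2,) + p for p in pos(delta, t[3])}
    if kind == 'app':                     # t u not of the form f t: only t, at 1
        return {(1,) + p for p in pos(delta, t[1])}
    f, args = t[1], t[2]                  # f t1..tn: argument i sits at 1^(n-i).2
    n = len(args)
    out = set(root)
    for eps in ('+', '-'):
        for i in MON.get(f, NO_MON)[eps]:
            prefix = (1,) * (n - i) + (2,)
            out |= {prefix + p for p in pos(mul(eps, delta), args[i - 1])}
    return out


def occ(name, t):
    """Pos(name, t): every position of the variable or symbol `name` in t
    (binders are ignored, which is enough for the closed examples below)."""
    kind = t[0]
    if kind == 'sort':
        return set()
    if kind == 'var':
        return {()} if t[1] == name else set()
    if kind in ('prod', 'abs'):
        return ({(1,) + p for p in occ(name, t[2])}
                | {(2,) + p for p in occ(name, t[3])})
    if kind == 'app':
        return ({(1,) + p for p in occ(name, t[1])}
                | {(2,) + p for p in occ(name, t[2])})
    f, args = t[1], t[2]
    n = len(args)
    out = {(1,) * n} if f == name else set()
    for i, a in enumerate(args, start=1):
        out |= {(1,) * (n - i) + (2,) + p for p in occ(name, a)}
    return out


def occurs_only(delta, name, t):
    """`name` occurs only positively ('+') or only negatively ('-') in t."""
    return occ(name, t) <= pos(delta, t)


def rule_respects_mon(F, lhs_args, rhs):
    """Theorem 12's condition on a rule F l -> r: for every i in Mon^eps(F),
    l_i is a variable all of whose occurrences in r are eps-positions of r."""
    for eps in ('+', '-'):
        for i in MON.get(F, NO_MON)[eps]:
            l_i = lhs_args[i - 1]
            if l_i[0] != 'var' or not occurs_only(eps, l_i[1], rhs):
                return False
    return True


# The paper's instance: Pos+(¬¬trm) = {ε, 2.2} contains Pos(trm, ¬¬trm) = {2.2}.
TRM = ('sym', 'trm', [])
BOT = ('sym', 'bot', [])
NOT_TRM = ('sym', 'not', [TRM])
NOT_NOT_TRM = ('sym', 'not', [NOT_TRM])
NOT_RULE_RHS = ('prod', '_', ('var', 'A'), BOT)     # right-hand side of ¬A -> A ⇒ ⊥

if __name__ == '__main__':
    print(sorted(pos('+', NOT_NOT_TRM)))                          # [(), (2, 2)]
    print(occurs_only('+', 'trm', NOT_NOT_TRM))                   # True
    print(occurs_only('+', 'trm', NOT_TRM))                       # False
    print(rule_respects_mon('not', [('var', 'A')], NOT_RULE_RHS))  # True
```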

9 Conclusion 

By using an elimination-based interpretation for inductive types, we proved that the Calculus of Algebraic Constructions completely subsumes the Calculus of Inductive Constructions. We defined general conditions on extended recursors for preserving strong normalization and showed that these conditions are satisfied by a large class of recursors for strictly positive types and by non-strictly positive types too. Finally, we gave general positivity conditions for dealing with inductive-recursive types.